Press & Mentions
A curated collection of recent articles, interviews, and press mentions where I've shared my insights on cybersecurity, leadership, and technology.
To handle internal cybersecurity compliance audits effectively, organizations should conduct regular internal audits to assess their compliance status before the official audit. This practice helps identify vulnerabilities, ensure adherence to regulatory standards, and maintain a robust security posture.
A best practice to follow is to maintain detailed documentation of all security policies, procedures, and controls. This documentation is crucial for auditors to verify compliance and for the organization to demonstrate its commitment to cybersecurity.
Additionally, organizations should keep their systems and software updated, strengthen identity and access management, prepare for incident response and reporting, secure third-party vendor compliance, and train employees on compliance and security practices. These steps not only help in passing the audit but also enhance the overall cybersecurity posture of the organization.
The most influential person in my career was my father, James Knauss, who passed away this past year. His profession as a Master Electrician was a far cry from the Chief Information Security Officer role I ended up in, but the gap between our fields didn’t matter. He taught me three critical lessons that formed the very essence of who I am, both as a person and as a leader in cybersecurity.
The first two lessons were foundational pillars of character and professionalism. First, be honorable: if you make a promise or a commitment, you must honor it at all costs. This principle of unwavering integrity is non-negotiable. Second, he taught me that “being on time is being late,” instilling a habit of always showing up five minutes early. This simple act demonstrates respect, readiness, and a commitment to not wasting the time of others.
Finally, the third lesson was about temperament and impact: never raise your voice. He taught me that the easiest voice to hear and understand is the soft, measured one. In a high-stress field like cybersecurity, this lesson has been invaluable. It taught me that true strength in leadership comes not from volume, but from clarity, calm, and the unshakeable reliability he exemplified. These three principles are the bedrock of my professional life.
"Don't take a job you can't get excited about." That advice is pretty much the whole game, because that initial excitement is the wellspring for all your resilience later on. It's not about the surface-level cool factor of a product; it's about having a gut-level belief in the company's mission. That purpose becomes your anchor when things inevitably go sideways. When you're dealing with a system outage at 3 AM or a project that's completely off the rails, the only thing that keeps you going is the knowledge that you're fighting for something that matters. Without that core conviction, the constant pressure is just a grind that will absolutely burn you out.
My go-to problem-solving technique is always ‘factoring the problem’. The core idea is to take a large, complex, and often overwhelming issue and break it down into the most atomic, solvable components you can. By refusing to engage with the large problem and instead focusing on the smallest possible sub-problems, you can make steady progress, isolate points of failure, and build momentum toward a complete solution. It turns an intimidating challenge into a manageable checklist.
My number one actionable tip for achieving significant goals in 2025 is to boil your primary goal down to a single, clear, affirmative sentence. This approach is effective because it shifts the focus from relying on motivation, which is a fleeting feeling, to establishing a durable sense of purpose. The very act of creating this sentence forces you to cut through the noise and distractions of daily life, providing absolute clarity on what is essential. This process transforms a vague aspiration into a concrete, personal mission.
The big issue with widespread VoIP adoption is that it radically expands the attack surface. It’s no different from any other critical app we’ve moved to the cloud; it’s just data packets now.
I’m concerned about targeted SIP-based DDoS attacks taking down our entire comms stack, or sophisticated vishing campaigns that spoof internal extensions to hit our execs. And toll fraud is a real budget-killer.
Because it’s IP-based, it’s wide open to the classic network-layer attacks: eavesdropping, man-in-the-middle on call signalling, you name it. If that traffic isn’t encrypted end-to-end (both signalling and media), we’re exposed.
Honestly, it just boils down to fundamentals. We have to treat it like any other critical workload: strong encryption, proper network segmentation to isolate the voice VLAN, and relentless user training on vishing. It’s just another high-priority asset to defend.
The best defence against AI scams and deepfakes isn't new technology; it's a new mindset. We have to treat every urgent, out-of-the-blue request with a healthy dose of skepticism. The golden rule is to 'verify before you act.' If a call or message asks for sensitive information or a quick transfer of funds, hang up and use a trusted, pre-saved contact number to verify the request. This simple action disrupts the scammer's timeline and gives you the control back.
As CTO, I view managing technical debt not as a cleanup chore, but as a core part of our strategic risk and resource management. While allocating a percentage of our time—say, 10%—to refactoring is a common tactic, a mature approach goes much deeper, focusing on proactive prevention and targeted repayment.
Make Debt Visible and Quantifiable
First, you can’t manage what you don’t use. We treat technical debt like a financial liability on a balance sheet. We use a combination of static code analysis tools, tracking code complexity, identifying outdated dependencies, and creating a formal "debt registry." Each item in the registry is tagged with its potential impact—Is it slowing down feature development? Does it pose a security risk? Is it impacting system performance? This makes the abstract concept of "debt" concrete and allows us to discuss it in business terms.
This is where the real leverage is. The cheapest debt to fix is the debt you never create. Foundational to this is our strict, automated patching schedule for all dependencies and systems, as unpatched vulnerabilities are one of the most dangerous forms of technical debt. We also enforce Infrastructure as Code (IaC) for configuration management to prevent drift and ensure our environments are reproducible and consistent, which eliminates a massive source of operational debt. Beyond that, we have a lightweight architectural review process to prevent decisions that would paint us into a corner years from now. Finally, our definition of "done" for any task includes adequate testing, documentation, and adherence to our established coding standards. Cutting these corners is how debt starts, so we simply don't allow it.
We don’t just give teams a flat "10% tax" to work on whatever they want. We manage our debt registry like a product backlog and explicitly pull in debt-related items alongside new features during planning. The prioritization is driven entirely by impact. We always address high-risk debt, like security vulnerabilities and stability issues, first. Next, we target "interest rate" debt in areas of the codebase where we are actively developing, as paying this down immediately accelerates new feature delivery. Some debt, however, is fine. If a piece of ugly code is in a part of the system that rarely changes and works reliably, we consciously choose to leave it alone. There's no value in refactoring for the sake of elegance.
As a cybersecurity expert, I believe password managers are a vital tool for enhancing online security. They simplify the process of managing strong, unique passwords for multiple accounts, which is crucial in today's digital landscape.
However, it’s important to use them correctly to maximize their benefits. One crucial tip for using password managers securely is to enable multi-factor authentication (MFA).
MFA adds an extra layer of security by requiring not only your master password but also a second form of verification, such as a code sent to your phone or a biometric scan.
This significantly reduces the risk of unauthorized access, even if your master password is compromised.
Additionally, ensure you choose a reputable password manager that offers robust security features and regularly updates its software to protect against emerging threats.
"Tony's idea was to take an MP3 player, build a Napster music sale service to complement it, and build a company around it," Knauss said. "Tony had the business idea." Knauss said Fadell left Philips and set himself up as an independent contractor to shop the idea around. Knauss said Fadell approached several companies and was turned away by all of them, except for Apple.
The interesting thing about the iPod is that since it started, it had 100 percent of Steve Jobs' time. Not many projects get that. He was heavily...
"Tony's [Fadell's] idea was to take an MP3 player, build a Napster music sale service to complement it, and build a company around it. Tony had the business idea."
"#Winprog smacks you in the face with your failure," Knauss said.
The clock may be ticking. Recent rate cuts could signal a downward trend, meaning these attractive annuity payouts might not last. For those on the fence, the risk of waiting is that you could lock in a lower income for life.